[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
Andreas Hasenack
andreas at canonical.com
Wed Jul 19 20:51:55 UTC 2017
** Description changed:
[Impact]
+ The libapache2-mod-auth-pgsql module will trigger frequent segfaults in apache if used in conjunction with a CGI script.
- * An explanation of the effects of the bug on users and
-
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
[Test Case]
* install the packages on the Ubuntu release you are testing:
$ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
* create the database and populate it with the test user:
$ sudo -u postgres -H createdb userdb
$ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, ApachePassword text);"
$ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 'secret');"
* Create the DB user the module will use and grant access to the user table:
$ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
$ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
* Create /etc/apache2/conf-available/authpgtest.conf with the following content:
Alias /authpgtest /export/scratch/authpgtest
<Directory /export/scratch/authpgtest/>
- Options +ExecCGI +FollowSymLinks
- AddHandler cgi-script .pl
- AuthType basic
- AuthName "My Auth"
- Require valid-user
- AuthBasicProvider pgsql
- Auth_PG_authoritative On
- Auth_PG_host 127.0.0.1
- Auth_PG_port 5432
- Auth_PG_user www
- Auth_PG_pwd password
- Auth_PG_database userdb
- Auth_PG_encrypted off
- Auth_PG_pwd_table UserLogin
- Auth_PG_uid_field Username
- Auth_PG_pwd_field ApachePassword
+ Options +ExecCGI +FollowSymLinks
+ AddHandler cgi-script .pl
+ AuthType basic
+ AuthName "My Auth"
+ Require valid-user
+ AuthBasicProvider pgsql
+ Auth_PG_authoritative On
+ Auth_PG_host 127.0.0.1
+ Auth_PG_port 5432
+ Auth_PG_user www
+ Auth_PG_pwd password
+ Auth_PG_database userdb
+ Auth_PG_encrypted off
+ Auth_PG_pwd_table UserLogin
+ Auth_PG_uid_field Username
+ Auth_PG_pwd_field ApachePassword
</Directory>
* Enable this new configuration:
$ sudo a2enconf authpgtest.conf
* Enable the auth-pgsql and cgi modules and then restart apache:
$ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
$ sudo service apache2 restart
* Create the CGI directory for our script:
$ sudo mkdir -p /export/scratch/authpgtest
* Create the CGI script /export/scratch/authpgtest/hw.pl with the following contents:
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, World!\n";
* Make it executable:
$ sudo chmod 0755 /export/scratch/authpgtest/hw.pl
-
* Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times while tailing /var/log/apache/error.log. After a few tries it will fail, and apache will log a segfault:
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
curl: (52) Empty reply from server
In /var/log/apache2/error.log:
*** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x00007fa9340007c8 ***
[Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible coredump in /etc/apache2
-
- After installing the fixed libapache2-mod-auth-pgsql package, all attempts will work.
+ After installing the fixed libapache2-mod-auth-pgsql package, all
+ attempts will work.
- [Regression Potential]
+ [Regression Potential]
+ This patch is already being used in Ubuntu releases higher than trusty, all the way to artful, and also in Debian.
- * discussion of how regressions are most likely to manifest as a result
- of this change.
+ This is a very old module that hasn't been built in a while (see [other
+ info] below. It's possible that just by rebuilding it with the new
+ environment available in Trusty could introduce unknowns. Hopefully, if
+ that happens, it will be immediately noticed by the people who use it
+ and will test this SRU.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ This module hasn't been rebuilt since vivid and seems unmaintained, being at version 2.0.3 since the precise days:
+ libapache2-mod-auth-pgsql | 2.0.3-5build2 | precise
+ libapache2-mod-auth-pgsql | 2.0.3-6 | trusty
+ libapache2-mod-auth-pgsql | 2.0.3-6.1 | vivid
+ libapache2-mod-auth-pgsql | 2.0.3-6.1 | xenial
+ libapache2-mod-auth-pgsql | 2.0.3-6.1 | yakkety
+ libapache2-mod-auth-pgsql | 2.0.3-6.1 | zesty
+ libapache2-mod-auth-pgsql | 2.0.3-6.1ubuntu1 | artful
+
+ - Debian's last changelog entry is from August 2013
+ - Fedora killed it in July 2011
+ - I couldn't find it in SuSE
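Review bot: The reproduction step in [Test Case] tells the tester to tail /var/log/apache/error.log, while the sample output a few lines later is introduced as coming from /var/log/apache2/error.log; the step should name /var/log/apache2/error.log so the abort message is actually seen. In the added [Regression Potential] text, the parenthesis opened at "(see [other info] below." is never closed. The new [Impact] line states the symptom, but of the template points it replaces it leaves out the optional explanation of how the upload fixes the bug; one sentence on what the patch changes in the module would help the SRU reviewer.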
https://bugs.launchpad.net/bugs/1272857